Most all modern central processing units, namely those based on the x86 architecture, employ system management random access memory (SMRAM) to carry out trusted system management mode (SMM) operations. While in SMM, the processor can execute code and access data held in an area of system memory known as SMRAM. SMRAM is protected from all operating system and device accesses. As such, in reliance upon the privileged nature of SMM, developers continue to place increasing amounts of secure data within SMRAM.
In addition to SMRAM, most modern CPUs also utilize a local advanced programmable interrupt controller (APIC) for managing CPU interrupts. Most APICs are implemented within the CPU and mapped to physical memory, where the APIC mapping may be moved within physical memory by altering a base address (e.g., “APICBASE”) within the APICBASE model specific register of the processor. This APICBASE register can be written even when the processor is not running in SMM. As such, an unauthorized user may utilize the APIC to attack a computer system running in SMM by moving the APIC mapping over SMRAM, thereby derailing SMRAM requests and forcing trusted SMM code to read different values than it previously wrote. Additionally, unauthorized users may place the APIC mapping over code stacks within physical memory to jump out of SMRAM upon return from SMM subroutines, thereby enabling the mounting of larger attacks.